Minos: A Tool for Capturing
and Analyzing Novel Worms
for Unknown Vulnerabilities
Jedidiah R. Crandall
Frederic T. Chong, Zhendong Su, S. Felix Wu
Computer Science Department
University of California at Davis
Outline
 What
is control data?
 Motivation
 Biba’s low-water-mark integrity policy
 The Minos architecture
 Security assessment
 A few nasties Minos has caught
 Future Work
What is control data?
 Any
data which is loaded into the
program counter on control flow
transfer, or any data used to calculate
such data
 Control data is not executable code
Motivation
 Control
Data Attacks
 Buffer
overflows, format string attacks,
double free()s, …, much more
 These
attacks cost users billions of
dollars a year
 Remote
intrusions
 Cleaning up worms
 SPAM and DoS from botnets
Minos Security Claims
 Control
data attacks constitute the
overwhelming majority of remote
intrusions
 Minos protects against remote control
data attacks based on using memory
corruption to hijack the control flow of a
process
Securing Commodity Software
 Flat
memory model is ubiquitous
 Minos supports code as data
 JITs
 Dynamic
 No
library linking
program-specific policies,
recompilation, or binary rewriting
Biba’s Low-water-mark
Integrity Policy
 Security
policies
 Integrity
 Confidentiality
 Availability
 Tracks
the “taintedness” of data
 Access controls are based on accesses
a subject has made in the past
Biba’s Low-water-mark
Integrity Policy (Formally)

Any subject may modify any object if…


Any subject may read any object


The integrity of the object is not greater than that
of the subject
The subject’s integrity is lowered to the minimum
of the object’s integrity and it’s own
Notorious for its monotonic behavior
 Is Biba’s policy the best fit?
The Minos Architecture



Tag bits in L1
and L2 cache
DRAM
VM details are
in the MICRO
paper
Gratuitous Dante Quote
Minos the dreadful snarls at the gate, … and
wraps himself in his tail with as many turns
as levels down that shade will have to dwell
Two Implementations
 Linux
 Windows
Whistler and XP
 Full system emulation
 Bochs
Pentium Emulator
OS Changes
 Read
system call forces data low
integrity unless…
 The
ctime and mtime of the inode are
before an establishment time …OR…
 The inode points to a pipe between
lightweight processes that share the same
address space
 Network
sockets, readv()s, and pread()s
are forced low integrity unconditionally
OS Changes (continued)
 Establishment
time requirement applies
to mmap()ed files
 A static binary may be mounted and
executed if it is flushed to the disk first
 More user friendly methods of defining
trust could be developed
One Month of a Minos Web Server
SPEC2000 gcc
Security Assessment
 Real
attacks
 Many
return pointer protection papers
erroneously cite Code Red as motivation
 Two attacks (innd and su-dtors) caused
changes to our original, simple policy
 Attacks
specifically designed to subvert
Minos
 3 actual remote attacks
Attacks We Attacked Minos With
Real Vulnerability?
Remote?
Vulnerability Type
Caught?
rpc.statd
Yes
Remote
Format string
Yes
traceroute
Yes
Local
Double free()
Yes
su-dtors
Yes
Possibly remote
Format string
Yes
wu-ftpd
Yes
Remote
Format string
Yes
wu-ftpd
Yes
Remote
Heap globbing
Yes
innd
Yes
Remote
Buffer overflow
Yes
hannibal
Yes
Remote
Format string
Yes
Windows DCOM
Yes
Remote
Buffer overflow
Yes
Windows LSASS
Yes
Remote
Buffer overflow
Yes
tigger
No
Local
long_jmp() buffer
Yes
str2int
No
Local
Buffer overflow
Yes
offbyone
No
Local
Off-by-one buffer overflow
Yes
virt
No
Local
Virtual function pointers
Yes
envvar
No
Local
Environment variables
Yes
longstr
No
Local
Hypothetical format string
Yes
A Fundamental Tradeoff

Can only do
one of these
Check
the
integrity of
addresses used
for 32-bit loads
or stores
chunk prev_size
size
User data…
nextchunk prev_size
Check the
integrity of both
size
operands to an
User data…
operation for all
operations
Related Works

G. Edward Suh, Jae W. Lee, David Zhang,
and Srinivas Devadas. “Secure Program
Execution via Dynamic Information Flow
Tracking”, ASPLOS XI.


Makes an exception for addition of the base and
offset of a pointer
James Newsome and Dawn Song. “Dynamic
Taint Analysis…”, NDSS 2005.

Default policy does not check the addresses of
any loads/stores
Specific Concerns for Minos
 Arbitrary
copy primitives (because the
integrity of addresses for 32-bit
loads/stores are not checked)
 Sandboxed
 Dangling
 Need
PLT
pointers
arbitrary copy primitive
 Information
Flow Problems
Information Flow Problems
if (LowIntegrityData == 5)
HighIntegrityData = 5;
HighIntegrityData =
HighIntegrityLookupTable[LowInteg
rityData];
HighIntegrityData = 0;
while (LowIntegrityData--)
HighIntegrityData++;
Policies
 All
8- and 16-bit immediates are low
integrity
 All 8- and 16-bit loads/stores have the
integrity of the addresses used checked
 Misaligned 32-bit loads/stores are
assumed low integrity
Attacks By Others
Attack
Known
Exploit?
Remote?
Vulnerability
Caught?
Linux wu-ftpd
No
Remote
Heap globbing
Yes
Code Red II
Yes
Remote
Buffer overflow in ASCII to
UNICODE conversion
Yes
SQL Server
2000
No
Remote
Buffer overflow in
authentication
Yes
Analyzing Attacks
 Minos
detects attacks at the critical
point where control flow is being
transferred from the legitimate program
execution to somewhere else.
 The process’ address space is exactly
the same as it would be on a vulnerable
host.
Linux wu-ftpd
or
or
or
nop
nop
nop
nop
nop
xchg
loope
or
x)
mov
sub
$0xeb,%al
$0xeb,%al
$0x90,%al
jmp
0x807fd86
nop
nop
nop
nop
nop
nop
xchg %eax,%esp
%eax,%esp
loope 0x807fd89
0x807fd89
or
%dl,0x43db3190(%ea
%dl,0x43db3190(%ea
x)
mov
$0xb51740b,%eax
$0xb51740b,%eax
sub
$0x1010101,%eax
$0x1010101,%eax
Linux wu-ftpd (continued)
0x807fdb2:
xor %ebx,%ebx
(%eax),%al
mul %ebx,%eax
0x807fdb4:
%al,(%eax)
dec %dl
0x807fdb6:
pop %ecx
%al,(%eax)
0x807fdb8:
push $0x3
%al,(%eax)
pop %eax
0x807fdba:
%al,(%eax)
int
$0x80
; read(1, 0x807fdb2,0x807fdbc:
%al,(%eax)
3);
0x807fdbe:
%al,(%eax)
jmp 0x807fdb2
0x807fdc0:
call 0x807fd9f
$0x91c,$0x8
0x5a 0xcd 0x80 == pop edx; int
$0x80
0x807fdc4:
or
add
add
add
add
add
add
enter
(bad)
Code Red II
GET
/default.ida?XXX…
XXX%u9090
%u6858%ucbd3%u78
01%u9090%u6858
%ucbd3%u7801%
u9090
%u6858%ucbd3%u78
01%u9090%u9090
%u8190%u00c3%
u0003
%u8b00%u531b%u53
ff%u0078%u0000
%u00=a HTTP/1.0
nop
; 90
nop
; 90
pop EAX
; 58
push 7801cbd3
; 68d3cb0178
add DL, DS:[EAX + cbd36858] ;
2905868d3cb
add DS:[EAX + 90], EDI
; 017890
nop
; 90
pop EAX
; 58
push 7801cbd3
; 68d3cb0178
nop
; 90
...
nop
; 90
add EBX, 00000300
; 81c300030000
mov EBX, DS:[EBX]
; 8b1b
push EBX
; 53
call DS:[EBX + 78] ; ff5378
SQL Server 2000
0x804964b
0x804964c
0x8049651
0x8049657
0x804965a
0x804965b
0x8049660
0x8049661
<one+619>:
<one+620>:
<one+625>:
<one+631>:
<one+634>:
<one+635>:
<one+640>:
<one+641>:
push
mov
xor
cmp
stos
mov
inc
iret
%edx
$0x79bababa,%ebx
%eax,0x5f33ef9e(%esi)
0xffffffaa(%esi),%edx
%al,%es:(%edi)
$0x8539fdba,%edx
%ebp
0x804962b <one+619>:
<one+625>
0x8049630 <one+624>:
0x8049631 <one+625>:
0x8049634 <one+628>:
0x8049635 <one+629>:
0x8049637 <one+631>:
0x804963d <one+637>:
0x804963e <one+638>:
$0xffffffff,(%edi)
call
0x8049631
ret
mov
push
mov
sub
inc
cmpl
(%esp,1),%edi
%ebp
%esp,%ebp
$0x1010,%esp
%edi
Current Best Practices
 Non-executable
pages
 StackGuard
 Random
placement of library routines
Hannibal
 Format
string vulnerability in wu-ftpd
 Our goal:
 Upload
a binary called jailbreak via
anonymous FTP
 Switch rename(char *, char *) to
execv(char *, char **)
 Switch syslog(int, char *, int) to malloc(int)
 Request to rename jailbreak becomes
execv(“/jailbreak”, {“/jailbreak”, NULL})
Future Work
Data Mark Machine using Denning’s
Information Flow Lattice Model and hardware
supported heap and stack mechanisms to
overcome the fundamental tradeoff
 Davis Collaborative Defense




Buttercup
DACODA
Minos
Conclusion
 Minos
catches all known attacks we
tested with a zero false positive rate
 Attack is caught at the critical point
where control flow is transferred from
the legitimate program execution to
someplace else.
Questions?
 [Crandall,
Chong. MICRO-37]
 http://minos.cs.ucdavis.edu
 If
you can break into it please leave a *.txt
file in the /root directory explaining how.
 Acknowledgments

This work was supported by NSF ITR grant CCR-0113418, an NSF
CAREER award and UC Davis Chancellor's fellowship to Fred
Chong, and a United States Department of Education Government
Assistance in Areas of National Need (DOE-GAANN) grant
#P200A010306 as well as a 2004 Summer Research Assistantship
Award from the U.C. Davis Graduate Student Association for Jed
Crandall.
Virtual Memory Swapping
Memory
Swap drive
4kb Page w/ tags
Tags (128 bytes)
4kb Page w/ tags
4kb Page (no tags)
Virtual Memory Swapping
Experimental Methodology
 Minos-enabled
Linux vs. unmodified
Linux
 1.6 GHz Pentium 4 with 256 MB RAM
 512 MB Swap Space
 Used mlocks() to take away memory
 4 SPEC2000 benchmarks
vpr
mcf
gcc
bzip2
DMA and Port I/O
 All
DMA and Port I/O is assumed high
integrity
 Any
data off the network will be read and
forced low integrity
 It will stay low integrity because of the
establishment time requirement
 Consider
the alternative
JIT Compatibility
 Sun
Java SDK must be run in
compatibility mode:
 All
8-bit and 16-bit immediates are high
integrity
 Setuid programs run in compatibility mode
will be squashed similar to a ptrace
 For
security reasons, the JIT should be
slightly modified